RH-ISAC wrapped up the last of five Regional Intelligence Workshops in July. These workshops, sponsored by SpyCloud, were all sold out and brought together security practitioners from various regions across the U.S. to discuss topics relevant to their local security community. Initially, we planned for in-person workshops, but we quickly moved to fully virtual programs to ensure the safety of all participants. As we navigated the murky waters brought on by unprecedented times, our hosts, speakers, sponsors, and internal team approached the world of virtual programs head-on and in the spirit of serving our members, and we came out the other end proud of what we achieved!
Of all the insights gained at the workshops, one key theme stood out among them all: we are more alike than we are different, and we are not alone in our fight against cybercrime.
More than 150 RH-ISAC members and prospective members from over 60 retail and hospitality companies participated in interactive breakout sessions and listened to presentations from cybersecurity leaders in their community. Many participants said these virtual workshops felt like they were actually in-person. As Grant Sewell, director of information technology security at Safelite, described from his experience at the virtual workshop he hosted:
“This workshop was a great experience. Everyone was so engaged; it was like we were all sitting together. It was a great balance of social and professional interaction — just eating lunch together and sharing a drink at happy hour afterward made it feel like a typical RH-ISAC event. The event truly demonstrated the resiliency of our sector, adjusting to any situation in difficult times.”
During each workshop, we held a series of facilitated breakout sessions that allowed attendees to have organic discussion in a round-robin format to open up about their security operations. Below are some key findings and highlights from the workshop series:
RH-ISAC Regional Intelligence Workshop Series Highlights
Security Operations Snapshot
- Team size varies widely from organization to organization, but growth remains a common theme among practitioners – as both a solution to challenges faced within information security, and as a critically important mechanism to keep pace with business growth.
- A common challenge among attendees is disrupting siloed groups in order to eliminate redundancy and duplication of effort, and to maintain integrations, especially now that everyone is working from home.
- Many participants brought up the importance of documentation, formalizing processes, and monitoring and consolidating platform and tool use to ensure central coordination and streamlined workflows.
Tools, Workflows, & Processes
- Every Threat Intelligence Platform (TIP) and security toolset stack is different, which is why it’s so important to hire someone who understands threat intelligence and teach them cyber rather than the other way around.
- A key challenge mentioned by attendees is not having a big enough team to build, maintain, and monitor simultaneously, but playbooks and workflows around common alerts are easy ways to quickly automate processes.
- The process of sharing through the RH-ISAC differs from company to company, based on what works best for each organizational ecosystem. Participants encourage new members to circle up internally to determine what their organizational guardrails are around sharing so they can build a process on that basis.
Timeline of a Breach: Where & How Criminals Are Causing You the Most Damage
Chip Witt, vice president of product management at SpyCloud, covered a case study of a lengthy targeted attack on an executive, detailing the alarming and increasingly common threat of targeted account takeover and identity theft attacks. As one attendee described, “This is one of the best account takeover presentations that I’ve ever seen, and I’ve seen a lot!”
During the session, Chip explained that though targeted attacks account for 10% of attacks by volume, they cause 80% of the losses for businesses. These manual, creative, and highly effective attacks performed by humans, not bots, occur in the 18-24 months following the breach, and leverage varied techniques including blackmail, bypassing multi-factor authentication (MFA) via phishing and social engineering, and thwarting SMS-based two-factor authentication with SIM swapping. It can be years before the breached data shows up on darknet marketplaces for sale to less sophisticated criminals who will leverage it for automated credential stuffing attacks at scale. By that point, the data is considered a commodity.
SpyCloud asserts that early breach detection is key to reducing risk, along with continuous monitoring, requiring the use of multi-factor authentication and password managers, ending mandatory password rotation policies that entice users to revert to well-worn passwords, and adopting a zero-trust policy on links and attachments from unknown senders. Check out SpyCloud’s resource library for more details on account takeover prevention.
RH-ISAC members can view all slides that have been approved to share on the events space of the Collaboration Portal.
Another thank you to our attendees, presenters, and our hosts: Brinker International, Safelite, Lowe’s, Columbia Sportswear, and Staples. And a big thank you to our sponsor, SpyCloud, for your continued support and help with making the 2020 Regional Intelligence Workshops happen! These collaborative events are so important to building and maintaining networks and establishing trust among information sharing organizations.
We can’t wait to see you online and in-person for our 2021 workshops!